
Provide concepts for Data Breach

Open coolharsh55 opened this issue 3 years ago • 7 comments

This issue is a placeholder for future work regarding Data Breach concepts in DPV

coolharsh55 avatar Oct 22 '22 19:10 coolharsh55

Sharing notes from discussions so far between me and Georg Krog (as contributors). These are unlikely to make it to DPV v1, but will be indicated as work-in-progress.

  • DataBreach (event)
  • DataBreachRecord (org measure)
  • DataBreachDetection (tech/org measure)
  • DataBreachHandlingPolicy (org measure)
  • DataBreachImpactAssessment (org measure)
  • DBIAProcedure
  • DBIAOutcome
  • DBIAOutcomeDPANotification
  • DBIAOutcomeDataSubjectNotification
  • DBIAOutcomeHighRisk
  • DataBreachDPANotification
  • DataBreachDataSubjectNotification
  • temporal properties
    • detection timestamp
    • occurrence timestamp (or period)
    • notification timestamp (for DPA notification)
    • notification timestamp (for DS notification)
  • hasJustification available for any comments/justifications, e.g. delay in reporting the notification to DPA
  • Details of Breach
    • personal data affected - hasPersonalData
    • scale, frequency, severity - use contextual properties from DPV
    • same for data subjects, amount of data, processing etc.
  • scope
    • can be personal data handling
    • can be specific databases or other technology systems
    • can be localised i.e. at a specific location
  • Vulnerability
    • needs Thing --hasVulnerability--> Vulnerability
    • DataBreach --exploitedVulnerability--> Vulnerability
  • VulnerabilityMitigation
    • is RiskMitigation applied over a Vulnerability to "patch the data breach"
    • new property ~hasVulnerabilityMitigation~
    • to add these to risk ???
  • Communicated By
    • processor to controller, processor to processor
    • DataBreachProcessorNotification
    • DataBreachControllerNotification
    • timestamps same as earlier
  • DataBreachInvestigation
  • DataBreachInvestigationStatus
    • DataBreachInvestigationCompleted
    • DataBreachInvestigationOngoing
    • DataBreachInvestigationPreliminary
    • DataBreachInvestigationComplimentary
  • NotificationStatus
    • NotificationPlanned
    • NotificationOngoing
    • NotificationCompleted
  • Notification Communication Mechanism

coolharsh55 avatar Nov 10 '22 14:11 coolharsh55
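The concept list in the comment above, as an added example that is not part of this issue and not DPV's own code: a small Python consistency check over a constructed breach record that uses the proposed names (DataBreach, DataBreachDPANotification, NotificationStatus, exploitedVulnerability, hasJustification) together with the temporal properties. The `dpvx:` prefix, the property names hasDetectionTime, hasOccurrenceTime, hasNotificationTime, hasNotificationStatus and hasDataBreachDPANotification, and all sample values are assumptions made for illustration; the 72-hour deadline is the GDPR Art. 33(1) period for notifying the DPA, which is where the "delay in reporting" justification in the list comes from.

```python
"""Consistency checks over a DataBreach record that uses the concept names
proposed in the issue (DataBreach, DataBreachDPANotification,
NotificationStatus, exploitedVulnerability, hasJustification).
Added example, not DPV code: the `dpvx:` prefix, the property names
hasDetectionTime, hasOccurrenceTime, hasNotificationTime,
hasNotificationStatus and hasDataBreachDPANotification, and the sample
values are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# GDPR Art. 33(1): the controller notifies the DPA without undue delay and,
# where feasible, not later than 72 hours after becoming aware of the breach;
# a later notification must be accompanied by reasons for the delay.
DPA_DEADLINE = timedelta(hours=72)

# Constructed sample record, written as (subject, predicate, object) triples.
SAMPLE_TRIPLES = [
    ("ex:breach-001", "rdf:type", "dpvx:DataBreach"),
    ("ex:breach-001", "dpvx:hasOccurrenceTime", "2023-05-30T22:15:00Z"),
    ("ex:breach-001", "dpvx:hasDetectionTime", "2023-06-01T09:00:00Z"),
    ("ex:breach-001", "dpv:hasPersonalData", "dpv:EmailAddress"),
    ("ex:breach-001", "dpvx:exploitedVulnerability", "ex:vuln-unpatched-cms"),
    ("ex:breach-001", "dpvx:hasDataBreachDPANotification", "ex:dpa-notif-001"),
    ("ex:dpa-notif-001", "rdf:type", "dpvx:DataBreachDPANotification"),
    ("ex:dpa-notif-001", "dpvx:hasNotificationTime", "2023-06-05T10:00:00Z"),
    ("ex:dpa-notif-001", "dpvx:hasNotificationStatus", "dpvx:NotificationCompleted"),
    ("ex:dpa-notif-001", "dpv:hasJustification",
     "Forensic scoping of the affected records took until 2023-06-05"),
]


def index(triples):
    """Group triples as graph[subject][predicate] -> [objects]."""
    graph = defaultdict(lambda: defaultdict(list))
    for s, p, o in triples:
        graph[s][p].append(o)
    return graph


def parse_ts(value):
    """Parse the UTC timestamps used in the sample record."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_breach(graph, breach):
    """Return a list of findings (empty when the record is consistent)."""
    findings = []
    node = graph[breach]
    if "dpvx:DataBreach" not in node["rdf:type"]:
        return [f"{breach}: not typed as dpvx:DataBreach"]

    detected = None
    if node["dpvx:hasDetectionTime"]:
        detected = parse_ts(node["dpvx:hasDetectionTime"][0])
    else:
        findings.append(f"{breach}: missing detection timestamp")

    # The occurrence (or the start of the occurrence period) cannot postdate detection.
    if detected and node["dpvx:hasOccurrenceTime"]:
        if parse_ts(node["dpvx:hasOccurrenceTime"][0]) > detected:
            findings.append(f"{breach}: occurrence timestamp is after detection")

    if not node["dpv:hasPersonalData"]:
        findings.append(f"{breach}: no affected personal data recorded")

    for notif in node["dpvx:hasDataBreachDPANotification"]:
        nnode = graph[notif]
        status = nnode["dpvx:hasNotificationStatus"]
        times = nnode["dpvx:hasNotificationTime"]
        if "dpvx:NotificationCompleted" in status and not times:
            findings.append(f"{notif}: marked completed but has no notification timestamp")
        if not times or not detected:
            continue
        notified = parse_ts(times[0])
        if notified < detected:
            findings.append(f"{notif}: DPA notified before the breach was detected")
        elif notified - detected > DPA_DEADLINE and not nnode["dpv:hasJustification"]:
            findings.append(f"{notif}: DPA notified more than 72 hours after detection "
                            "without a hasJustification for the delay")
    return findings


if __name__ == "__main__":
    result = check_breach(index(SAMPLE_TRIPLES), "ex:breach-001")
    for line in result or ["record is consistent"]:
        print(line)
```

The checks are deliberately structural rather than legal: they only test that the record carries the timestamps the concept list calls for, that they are in a plausible order, and that a late DPA notification carries the hasJustification the list reserves for exactly that case. Dropping the `dpv:hasJustification` triple from the sample turns the clean run into a single finding about the 72-hour delay.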

Relevant emails to the mailing list:

  1. 27th March - sharing the above concepts https://lists.w3.org/Archives/Public/public-dpvcg/2023Mar/0005.html
  2. 03rd April - analysis of data breach concepts from EDPB guidelines https://lists.w3.org/Archives/Public/public-dpvcg/2023Apr/0000.html

coolharsh55 avatar Apr 14 '23 21:04 coolharsh55

A relevant relation or concept should be provided to indicate the data breach reporting location/process/policy by a DPA, e.g. a webpage or email address.

coolharsh55 avatar Apr 25 '23 21:04 coolharsh55

Proposal shared on mailing list - https://lists.w3.org/Archives/Public/public-dpvcg/2023May/0007.html

coolharsh55 avatar May 26 '23 21:05 coolharsh55

Discussed in Meeting 2023-06-22 with general acceptance of content. Next step is to review the document contents as per email 2023-06-16. See document here: https://harshp.com/dpv-x/data-breach/. Once approved, it will be moved to this repo under /data-breach.

coolharsh55 avatar Jun 24 '23 11:06 coolharsh55

I believe that is to say, it will be moved to github.com/w3c/dpv/data-breach (adding specific link to make it easier to get from here to there).

TallTed avatar Jun 25 '23 03:06 TallTed

On further thought about this, the extension should go under GDPR since it is defined as per that law, and also to separate it from other data-related breaches (e.g. for non-personal data). So the location would be /dpv-gdpr/data-breach or https://github.com/w3c/dpv/tree/master/dpv-gdpr/data-breach

coolharsh55 avatar Jul 03 '23 08:07 coolharsh55